Voting Machine Vulnerability Research

Elite computer scientists have repeatedly shown that America’s voting machines are open to fraudulent attack by industry insiders or malicious outsiders. Below are key reports produced by those researchers.

Abstract: Our analysis shows that this voting system [the Diebold AccuVote touchscreen] is far below even the most minimal security standards applicable in other contexts. We identify several problems including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes.

We show that voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal software. Furthermore, we show that even the most serious of our outsider attacks could have been discovered and executed without access to the source code. In the face of such attacks, the usual worries about insider threats are not the only concerns; outsiders can do the damage.

That said, we demonstrate that the insider threat is also quite considerable, showing that not only can an insider, such as a poll worker, modify the votes, but that insiders can also violate voter privacy and match votes with the voters who cast them. We conclude that this voting system is unsuitable for use in a general election.

Computer security experts Harri Hursti and Herbert Thompson worked with Bev Harris of Black Box Voting to reveal that the Diebold precinct-based optical scan voting system can be hacked via their removable memory cards. Hursti found that the removable memory cards contain “an executable program which acts on the vote data.” Changing that executable program can “change the way the optical scan machine functions and the way the votes are reported.”

Hursti and Thompson demonstrated that it was possible to hide preloaded votes and to falsify the paper election results printout. “This attack vector maintains an illusion of integrity by producing false reports to match the contaminated central tabulator report,” writes Hursti.

Hursti also reported in 2006 on the Diebold touchscreen design, finding vulnerabilities that could enable a malicious actor to compromise the equipment years in advance:

Based on publicly available documentation, source code excerpts and testing performed with the system, there seem to be several backdoors to the system which are unacceptable from a security point of view. These backdoors ... allow the system to be modified in extremely flexible ways without even basic levels of security involved.

The Voting Technology Assessment Project at New York University convened a task force of researchers led by Lawrence Norden. They came to the following conclusion regarding voting system security (emphasis added):

Three fundamental points emerge from our security analysis: (1) All of the most commonly purchased electronic voting systems ... have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state, and local elections. (2) The most troubling vulnerabilities of each system can be substantially remedied if proper countermeasures are implemented at the state and local level. (3) Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute successfully.

The Brennan Center’s Task Force on Voting System Security reviewed more than 120 potential threats to voting systems. Among its key conclusions was the finding that attacks involving the insertion of software attack programs or other corrupt software are the least difficult attacks against all electronic systems currently being purchased, when the goal is to change the outcome of a close statewide election. In addition, voting machines that have wireless components are significantly more vulnerable to a wide array of attacks.

The California secretary of state commissioned an in-depth review of voting machines, led by computer scientists from the University of California. The researchers were divided into two teams, one that looked at the source code from Diebold, Hart InterCivic, and Sequoia voting machines, and another that examined physical security and other factors. Their devastating conclusions led to the decertification of several voting machine models in California. Below are some of their findings (emphasis added).

Unsecured network interfaces: Network interfaces in the Hart system are not secured against direct attack. Voters can connect to unsecured network links in a polling place to subvert eSlates, as well as to eavesdrop on cast votes and to inject new votes. Poll workers can connect to JBCs or eScans over the management interfaces and perform back-office functions such as modifying the device software. The impact of this is that a malicious voter could potentially take over one or more eSlates in a precinct and a malicious poll worker could potentially take over all the devices in a precinct. The subverted machines could then be used to produce any results of the attacker’s choice, regardless of voter input. We emphasize that these are not bugs in the Hart software, but rather features intentionally designed into the system which can be used in a fashion for which they were never intended.

Cryptography: Many of the security features of the Sequoia system, particularly those that protect the integrity of precinct results, employ cryptography. Unfortunately, in every case we examined the cryptography is easily circumvented. Many cryptographic functions are implemented incorrectly, based on weak algorithms with known flaws, or used in an ineffective or insecure manner. Of particular concern is the fact that virtually all cryptographic key material is permanently hardcoded in the system (and is apparently identical in all Sequoia hardware shipped to different jurisdictions). This means that an individual who gains temporary access to similar hardware (inside California or elsewhere) can extract and obtain the secret cryptographic keys that protect elections in every California county that uses the system.

Susceptibility to viruses: The Diebold system is susceptible to computer viruses that propagate from voting machine to voting machine and between voting machines and the election management system. A virus could allow an attacker who only had access to a few machines or memory cards, or possibly to only one, to spread malicious software to most, if not all, of a county’s voting machines. Thus, large-scale election fraud in the Diebold system does not necessarily require physical access to a large number of voting machines.

The red teams demonstrated that security for all the systems they tested was inadequate to ensure the accuracy and integrity of election results. The vulnerabilities ranged from physical security such as ineffective seals or easily bypassed locks, to major flaws in the election management system that would give attackers direct access to election databases and allow insertion of malicious programs. For details on each system, see the following reports: Diebold, Hart InterCivic, Sequoia.

The Ohio secretary of state commissioned a security review of touchscreen and optical scan voting systems made by Elections Systems & Software, Hart InterCivic, and Premier Election Systems. (Diebold technology was rebranded as Premier Election Systems, later acquired by ES&S, and subsequently purchased by Dominion Voting Systems.) The research was conducted by three teams, at Pennsylvania State University, the University of Pennsylvania, and WebWise Security, Inc. They issued the following summary statement (emphasis added):

We found vulnerabilities in different vendor systems that would, for example, allow voters and poll-workers to place multiple votes, to infect the precinct with virus software, or to corrupt previously cast votes—sometimes irrevocably. Further problems persist at the election headquarters, where election software ... could be compromised by viruses arriving from precincts, or by an attacker with seconds at the controller terminal. These latter security failures could expose precinct or county-wide ballots and tallies to widespread manipulation.

Two characteristics of the all of the vendor systems emerged from our analysis bear further comment. First, the systems exhibited a near universal lack of effective protections against insiders. Unmonitored poll-workers and election officials could exploit security failures to circumvent protections or misuse software features to manipulate voting equipment, vote counts, and audit information. Second, there was a pervasive lack of quality in the implementation (coding and manufacturing) of these systems. Failures were present in almost every device and software module we investigated. Such problems may lead to serious stability issues, and are the source of many security issues.

Our review concludes that the vendor systems lack basic technical protections necessary to guarantee a trustworthy election. Thus, we strongly believe that the integrity of the election relies almost entirely on the physical procedures used to carry out the election. We further conclude that some weaknesses are of a depth and magnitude that formulating reliable and workable procedural safeguards will be a very difficult task.

Computer scientists evaluated the Sequoia voting machines used in New Jersey and elsewhere. They concluded that the AVC Advantage is “too insecure to use.” They reported the following in their executive summary (emphasis added):

The AVC Advantage 9.00 is easily “hacked,” by the installation of fraudulent firmware. This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this “hack” takes just 7 minutes to perform.

The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do. The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously.

Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges. The virus can steal the votes of blind voters, can cause AVC Advantages in targeted precincts to fail to operate; or can cause WinEDS software to tally votes inaccurately.

AVC Advantage Results Cartridges can be easily manipulated to change votes, after the polls are closed but before results from different precincts are cumulated together.

Wired magazine reported in August 2015 on the long overdue decision to decertify AVS WINVote machines in Virginia. State researchers found that vote data could be modified remotely using the system’s wireless network, along with a host of other vulnerabilities:

Physical security was easily circumvented

The Windows XP operating system had not been patched since 2005

Weak WEP wireless encryption key: abcde

Mobile phones were able to connect to the wireless network

Disabling the wireless setting did not stop the network card from transmitting